WordPress Plugin Vulnerabilities

Kali Forms < 2.4.10 - Unauthenticated Remote Code Execution via form_process

Description

The plugin is vulnerable to Remote Code Execution via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.

Proof of Concept

Affects Plugins

Plugin icon
kali-forms
Fixed in 2.4.10

References

CVE
CVE-2026-3584
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6cecd06f-c064-49fd-b3fa-505a5a0c2e0b

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
ISMAILSHADOW
Verified
Yes
WPVDB ID
df32569a-e4fe-430b-8310-df7be80d7249

Timeline

Publicly Published
2026-03-20 (about 3 months ago)
Added
2026-03-20 (about 3 months ago)
Last Updated
2026-06-19 (about 4 days ago)

Other

Published
Title
Published
2024-10-18
Title
Time Clock <= 1.2.2 & Time Clock Pro <= 1.1.4 - Unauthenticated (Limited) Remote Code Execution
Published
2015-04-02
Title
SimpleCart - File Upload & Execution
Published
2025-07-01
Title
Alone < 7.8.5 - Unauthenticated Remote Code Execution
Published
2014-08-01
Title
Is-human <= 1.4.2 - Remote Comm& Execution
Published
2025-01-06
Title
Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler <= 1.7.1 - Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting